import pam-1.5.1-14.el9

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/Linux-PAM-1.5.1.tar.xz
+SOURCES/pam-redhat-1.1.4.tar.bz2

.pam.metadata

@@ -0,0 +1,2 @@
+ad43b7fbdfdd38886fdf27e098b49f2db1c2a13d SOURCES/Linux-PAM-1.5.1.tar.xz
+bf661c44f34c2d4d34eaee695b36e638f4d44ba8 SOURCES/pam-redhat-1.1.4.tar.bz2

SOURCES/Linux-PAM-1.5.1.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCAAGBQJfvo0CAAoJEKgEH6g54W42L+0P/19bgVH4cRd7ONZLwYvWvWlQ
+NXkjwn26MEXElWESlKnQQz08W5QASWCz3vgAn9NGDmS+lJ38i4Li4aGpn3COPE2g
+BAN9LEaAErK60b3ZkWwDEARDs1JntA1vUuuHx0EoLEMtFEeU20h5PPMrsDwu7LGF
+sD6KYdM6TWLMXcRybqGOeWmWxfp8S8MVNwVN3C3q0aVIOMxky0i4rzCL7zRTJztQ
+q7FaX2xrTGfUiAI7smT/KGoK7pbQTzZtoR67uE/2WZ4bSyWMZcuDkt16WP/L6x9v
+c5DnVaLazM9xYUAOn4tlPiG8LLmfXo1MjD+KOS9byAx+uTij3avxaC/vv0BDcATH
+jywxH8iTPkvYXP0uJIa4Gbs1qi3vNZn+gaQt/T+rCVNo3dfFZZxBvLbTQ8AN1hKr
+MnoQbIQh0buuSuwmAxF0EDIefX3bDCurKOTQrRajK7huFm0w2NgBqL8WR8f1Wmm9
+mGSdKuVpWSk5uEygCUFOfwviYbi1I1K2Dmo3TsLBgNPKvAF3LAGJC7KzD+Q+Nmos
+XBOljilcAfdJ7t2P8W7xTSMEnXu7nI1TM+Er80ukfu0fipJEP0xyi+XWh+2n0Bx+
+3wwt8fSL7rmI4I4l6GRb3Jk/Gq1bKy956tgm3TE6gXTXVGZqNs0E28rNRURXDqZu
+XrjVwhlpsH/Auk17hU65
+=E0ev
+-----END PGP SIGNATURE-----

SOURCES/config-util.5

@@ -0,0 +1,36 @@
+.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+config-util \- Common PAM configuration file for configuration utilities
+
+.SH SYNOPSIS
+.B /etc/pam.d/config-util
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this configuration file is to provide common 
+configuration file for all configuration utilities which must be run
+from the supervisor account and use the userhelper wrapper application.
+
+.sp
+The
+.BR config-util
+configuration file is included from all individual configuration
+files of such utilities with the help of the
+.BR include
+directive.
+There are not usually any other modules in the individual configuration
+files of these utilities.
+
+.sp
+It is possible for example to modify duration of the validity of the 
+authentication timestamp there. See
+.BR pam_timestamp(8)
+for details.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), pam_timestamp(8)

SOURCES/config-util.pamd

@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		sufficient	pam_timestamp.so
+auth		include		system-auth
+account		required	pam_permit.so
+session		required	pam_permit.so
+session		optional	pam_xauth.so
+session		optional	pam_timestamp.so

SOURCES/dlopen.sh

@@ -0,0 +1,75 @@
+#!/bin/sh
+
+tempdir=`mktemp -d /tmp/dlopenXXXXXX`
+test -n "$tempdir" || exit 1
+cat >> $tempdir/dlopen.c << _EOF
+#include <dlfcn.h>
+#include <stdio.h>
+#include <limits.h>
+#include <sys/stat.h>
+/* Simple program to see if dlopen() would succeed. */
+int main(int argc, char **argv)
+{
+	int i;
+	struct stat st;
+	char buf[PATH_MAX];
+	for (i = 1; i < argc; i++) {
+		if (dlopen(argv[i], RTLD_NOW)) {
+			fprintf(stdout, "dlopen() of \"%s\" succeeded.\n",
+				argv[i]);
+		} else {
+			snprintf(buf, sizeof(buf), "./%s", argv[i]);
+			if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) {
+				fprintf(stdout, "dlopen() of \"./%s\" "
+					"succeeded.\n", argv[i]);
+			} else {
+				fprintf(stdout, "dlopen() of \"%s\" failed: "
+					"%s\n", argv[i], dlerror());
+				return 1;
+			}
+		}
+	}
+	return 0;
+}
+_EOF
+
+for arg in $@ ; do
+	case "$arg" in
+	"")
+		;;
+	-I*|-D*|-f*|-m*|-g*|-O*|-W*)
+		cflags="$cflags $arg"
+		;;
+	-l*|-L*)
+		ldflags="$ldflags $arg"
+		;;
+	/*)
+		modules="$modules $arg"
+		;;
+	*)
+		modules="$modules $arg"
+		;;
+	esac
+done
+
+${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl
+
+retval=0
+for module in $modules ; do
+	case "$module" in
+	"")
+		;;
+	/*)
+		$tempdir/dlopen "$module"
+		retval=$?
+		;;
+	*)
+		$tempdir/dlopen ./"$module"
+		retval=$?
+		;;
+	esac
+done
+
+rm -f $tempdir/dlopen $tempdir/dlopen.c
+rmdir $tempdir
+exit $retval

SOURCES/fingerprint-auth.pamd

@@ -0,0 +1,19 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authselect is run.
+auth        required      pam_env.so
+auth        sufficient    pam_fprintd.so
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     required      pam_permit.so
+
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so

SOURCES/gpl-2.0.txt

@@ -0,0 +1,339 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.

SOURCES/other.pamd

@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth     required       pam_deny.so
+account  required       pam_deny.so
+password required       pam_deny.so
+session  required       pam_deny.so

SOURCES/pam-1.3.0-unix-nomsg.patch

@@ -0,0 +1,16 @@
+diff -up Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c
+--- Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg	2016-04-11 13:08:47.000000000 +0200
++++ Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c	2017-04-20 16:51:24.853106709 +0200
+@@ -687,12 +687,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
+ 			return PAM_SUCCESS;
+ 		} else if (off(UNIX__IAMROOT, ctrl) ||
+ 			   (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
+-			/* instruct user what is happening */
+-			if (off(UNIX__QUIET, ctrl)) {
+-				retval = pam_info(pamh, _("Changing password for %s."), user);
+-				if (retval != PAM_SUCCESS)
+-					return retval;
+-			}
+ 			retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL);
+ 
+ 			if (retval != PAM_SUCCESS) {

SOURCES/pam-1.5.0-noflex.patch

@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.5.0/doc/Makefile.am.noflex Linux-PAM-1.5.0/doc/Makefile.am
+--- Linux-PAM-1.5.0/doc/Makefile.am.noflex	2020-11-10 16:46:13.000000000 +0100
++++ Linux-PAM-1.5.0/doc/Makefile.am	2020-11-11 11:39:00.980421433 +0100
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+ #
+ 
+-SUBDIRS = man specs sag adg mwg
++SUBDIRS = man sag adg mwg
+ 
+ CLEANFILES = *~
+ 
+diff -up Linux-PAM-1.5.0/Makefile.am.noflex Linux-PAM-1.5.0/Makefile.am
+--- Linux-PAM-1.5.0/Makefile.am.noflex	2020-11-11 11:39:00.980421433 +0100
++++ Linux-PAM-1.5.0/Makefile.am	2020-11-11 11:39:15.887625418 +0100
+@@ -4,7 +4,7 @@
+ 
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
+ 
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
+ 
+ if HAVE_DOC
+ SUBDIRS += doc

SOURCES/pam-1.5.0-redhat-modules.patch

@@ -0,0 +1,25 @@
+diff -up Linux-PAM-1.5.0/configure.ac.redhat-modules Linux-PAM-1.5.0/configure.ac
+--- Linux-PAM-1.5.0/configure.ac.redhat-modules	2020-11-11 11:21:21.947857371 +0100
++++ Linux-PAM-1.5.0/configure.ac	2020-11-11 11:22:58.638193747 +0100
+@@ -639,6 +639,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ 	po/Makefile.in \
+ 	Make.xml.rules \
+ 	modules/Makefile \
++	modules/pam_chroot/Makefile modules/pam_console/Makefile \
++	modules/pam_postgresok/Makefile \
+ 	modules/pam_access/Makefile \
+         modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ 	modules/pam_echo/Makefile modules/pam_env/Makefile \
+diff -up Linux-PAM-1.5.0/modules/Makefile.am.redhat-modules Linux-PAM-1.5.0/modules/Makefile.am
+--- Linux-PAM-1.5.0/modules/Makefile.am.redhat-modules	2020-11-10 16:46:13.000000000 +0100
++++ Linux-PAM-1.5.0/modules/Makefile.am	2020-11-11 11:21:21.947857371 +0100
+@@ -47,6 +47,9 @@ SUBDIRS := \
+ 	pam_debug \
+ 	pam_deny \
+ 	pam_echo \
++	pam_chroot \
++	pam_console \
++	pam_postgresok \
+ 	pam_env \
+ 	pam_exec \
+ 	pam_faildelay \

SOURCES/pam-1.5.1-faillock-load-conf-from-file.patch

@@ -0,0 +1,848 @@
+diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml
+--- Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml.faillock-load-conf-from-file	2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml	2022-05-25 15:30:33.700518571 +0200
+@@ -57,12 +57,29 @@
+          <variablelist>
+             <varlistentry>
+               <term>
++                <option>--conf <replaceable>/path/to/config-file</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  The file where the configuration is located. The default is
++                  <filename>/etc/security/faillock.conf</filename>.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
+                 <option>--dir <replaceable>/path/to/tally-directory</replaceable></option>
+               </term>
+               <listitem>
+                 <para>
+-                  The directory where the user files with the failure records are kept. The
+-                  default is <filename>/var/run/faillock</filename>.
++                  The directory where the user files with the failure records are kept.
++                </para>
++                <para>
++                  The priority to set this option is to use the value provided
++                  from the command line. If this isn't provided, then the value
++                  from the configuration file is used. Finally, if neither of
++                  them has been provided, then
++                  <filename>/var/run/faillock</filename> is used.
+                 </para>
+               </listitem>
+             </varlistentry>
+diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c
+--- Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c.faillock-load-conf-from-file	2022-05-25 15:30:33.699518564 +0200
++++ Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c	2022-05-25 15:30:33.700518571 +0200
+@@ -0,0 +1,263 @@
++/*
++ * Copyright (c) 2022 Tomas Mraz <tm@t8m.info>
++ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include <ctype.h>
++#include <errno.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <syslog.h>
++
++#include <security/pam_modules.h>
++
++#include "faillock_config.h"
++#include "faillock.h"
++
++#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf"
++
++static void PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3))
++config_log(const pam_handle_t *pamh, int priority, const char *fmt, ...)
++{
++	va_list args;
++
++	va_start(args, fmt);
++	if (pamh) {
++		pam_vsyslog(pamh, priority, fmt, args);
++	} else {
++		char *buf = NULL;
++
++		if (vasprintf(&buf, fmt, args) < 0) {
++			fprintf(stderr, "vasprintf: %m");
++			va_end(args);
++			return;
++		}
++		fprintf(stderr, "%s\n", buf);
++		free(buf);
++	}
++	va_end(args);
++}
++
++/* parse a single configuration file */
++int
++read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)
++{
++	char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];
++	const char *fname = (cfgfile != NULL) ? cfgfile : FAILLOCK_DEFAULT_CONF;
++	FILE *f = fopen(fname, "r");
++
++#ifdef VENDOR_FAILLOCK_DEFAULT_CONF
++	if (f == NULL && errno == ENOENT && cfgfile == NULL) {
++		/*
++		 * If the default configuration file in /etc does not exist,
++		 * try the vendor configuration file as fallback.
++		 */
++		f = fopen(VENDOR_FAILLOCK_DEFAULT_CONF, "r");
++	}
++#endif /* VENDOR_FAILLOCK_DEFAULT_CONF */
++
++	if (f == NULL) {
++		/* ignore non-existent default config file */
++		if (errno == ENOENT && cfgfile == NULL)
++			return PAM_SUCCESS;
++		return PAM_SERVICE_ERR;
++	}
++
++	while (fgets(linebuf, sizeof(linebuf), f) != NULL) {
++		size_t len;
++		char *ptr;
++		char *name;
++		int eq;
++
++		len = strlen(linebuf);
++		/* len cannot be 0 unless there is a bug in fgets */
++		if (len && linebuf[len - 1] != '\n' && !feof(f)) {
++			(void) fclose(f);
++			return PAM_SERVICE_ERR;
++		}
++
++		if ((ptr=strchr(linebuf, '#')) != NULL) {
++			*ptr = '\0';
++		} else {
++			ptr = linebuf + len;
++		}
++
++		/* drop terminating whitespace including the \n */
++		while (ptr > linebuf) {
++			if (!isspace(*(ptr-1))) {
++				*ptr = '\0';
++				break;
++			}
++			--ptr;
++		}
++
++		/* skip initial whitespace */
++		for (ptr = linebuf; isspace(*ptr); ptr++);
++		if (*ptr == '\0')
++			continue;
++
++		/* grab the key name */
++		eq = 0;
++		name = ptr;
++		while (*ptr != '\0') {
++			if (isspace(*ptr) || *ptr == '=') {
++				eq = *ptr == '=';
++				*ptr = '\0';
++				++ptr;
++				break;
++			}
++			++ptr;
++		}
++
++		/* grab the key value */
++		while (*ptr != '\0') {
++			if (*ptr != '=' || eq) {
++				if (!isspace(*ptr)) {
++					break;
++				}
++			} else {
++				eq = 1;
++			}
++			++ptr;
++		}
++
++		/* set the key:value pair on opts */
++		set_conf_opt(pamh, opts, name, ptr);
++	}
++
++	(void)fclose(f);
++	return PAM_SUCCESS;
++}
++
++void
++set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name,
++			 const char *value)
++{
++	if (strcmp(name, "dir") == 0) {
++		if (value[0] != '/') {
++			config_log(pamh, LOG_ERR,
++					"Tally directory is not absolute path (%s); keeping value",
++					value);
++		} else {
++			free(opts->dir);
++			opts->dir = strdup(value);
++			if (opts->dir == NULL) {
++				opts->fatal_error = 1;
++				config_log(pamh, LOG_CRIT, "Error allocating memory: %m");
++			}
++		}
++	}
++	else if (strcmp(name, "deny") == 0) {
++		if (sscanf(value, "%hu", &opts->deny) != 1) {
++			config_log(pamh, LOG_ERR,
++				"Bad number supplied for deny argument");
++		}
++	}
++	else if (strcmp(name, "fail_interval") == 0) {
++		unsigned int temp;
++		if (sscanf(value, "%u", &temp) != 1 ||
++			temp > MAX_TIME_INTERVAL) {
++			config_log(pamh, LOG_ERR,
++				"Bad number supplied for fail_interval argument");
++		} else {
++			opts->fail_interval = temp;
++		}
++	}
++	else if (strcmp(name, "unlock_time") == 0) {
++		unsigned int temp;
++
++		if (strcmp(value, "never") == 0) {
++			opts->unlock_time = 0;
++		}
++		else if (sscanf(value, "%u", &temp) != 1 ||
++			temp > MAX_TIME_INTERVAL) {
++			config_log(pamh, LOG_ERR,
++				"Bad number supplied for unlock_time argument");
++		}
++		else {
++			opts->unlock_time = temp;
++		}
++	}
++	else if (strcmp(name, "root_unlock_time") == 0) {
++		unsigned int temp;
++
++		if (strcmp(value, "never") == 0) {
++			opts->root_unlock_time = 0;
++		}
++		else if (sscanf(value, "%u", &temp) != 1 ||
++			temp > MAX_TIME_INTERVAL) {
++			config_log(pamh, LOG_ERR,
++				"Bad number supplied for root_unlock_time argument");
++		} else {
++			opts->root_unlock_time = temp;
++		}
++	}
++	else if (strcmp(name, "admin_group") == 0) {
++		free(opts->admin_group);
++		opts->admin_group = strdup(value);
++		if (opts->admin_group == NULL) {
++			opts->fatal_error = 1;
++			config_log(pamh, LOG_CRIT, "Error allocating memory: %m");
++		}
++	}
++	else if (strcmp(name, "even_deny_root") == 0) {
++		opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
++	}
++	else if (strcmp(name, "audit") == 0) {
++		opts->flags |= FAILLOCK_FLAG_AUDIT;
++	}
++	else if (strcmp(name, "silent") == 0) {
++		opts->flags |= FAILLOCK_FLAG_SILENT;
++	}
++	else if (strcmp(name, "no_log_info") == 0) {
++		opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
++	}
++	else if (strcmp(name, "local_users_only") == 0) {
++		opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY;
++	}
++	else if (strcmp(name, "nodelay") == 0) {
++		opts->flags |= FAILLOCK_FLAG_NO_DELAY;
++	}
++	else {
++		config_log(pamh, LOG_ERR, "Unknown option: %s", name);
++	}
++}
++
++const char *get_tally_dir(const struct options *opts)
++{
++	return (opts->dir != NULL) ? opts->dir : FAILLOCK_DEFAULT_TALLYDIR;
++}
+diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h
+--- Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h.faillock-load-conf-from-file	2022-05-25 15:30:33.699518564 +0200
++++ Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h	2022-05-25 15:30:33.700518571 +0200
+@@ -0,0 +1,89 @@
++/*
++ * Copyright (c) 2022 Tomas Mraz <tm@t8m.info>
++ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++/*
++ * faillock_config.h - load configuration options from file
++ *
++ */
++
++#ifndef _FAILLOCK_CONFIG_H
++#define _FAILLOCK_CONFIG_H
++
++#include <limits.h>
++#include <stdint.h>
++#include <sys/types.h>
++
++#include <security/pam_ext.h>
++
++#define FAILLOCK_FLAG_DENY_ROOT		0x1
++#define FAILLOCK_FLAG_AUDIT			0x2
++#define FAILLOCK_FLAG_SILENT		0x4
++#define FAILLOCK_FLAG_NO_LOG_INFO	0x8
++#define FAILLOCK_FLAG_UNLOCKED		0x10
++#define FAILLOCK_FLAG_LOCAL_ONLY	0x20
++#define FAILLOCK_FLAG_NO_DELAY		0x40
++
++#define FAILLOCK_CONF_MAX_LINELEN 	1023
++#define MAX_TIME_INTERVAL			604800 /* 7 days */
++
++struct options {
++	unsigned int action;
++	unsigned int flags;
++	unsigned short deny;
++	unsigned int fail_interval;
++	unsigned int unlock_time;
++	unsigned int root_unlock_time;
++	char *dir;
++	const char *user;
++	char *admin_group;
++	int failures;
++	uint64_t latest_time;
++	uid_t uid;
++	int is_admin;
++	uint64_t now;
++	int fatal_error;
++
++	unsigned int reset;
++	const char *progname;
++};
++
++int read_config_file(pam_handle_t *pamh, struct options *opts,
++					 const char *cfgfile);
++void set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name,
++		  const char *value);
++const char *get_tally_dir(const struct options *opts);
++
++#endif /* _FAILLOCK_CONFIG_H */
+diff -up Linux-PAM-1.5.1/modules/pam_faillock/main.c.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/main.c
+--- Linux-PAM-1.5.1/modules/pam_faillock/main.c.faillock-load-conf-from-file	2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_faillock/main.c	2022-05-25 15:37:05.801216176 +0200
+@@ -51,33 +51,40 @@
+ #define AUDIT_NO_ID     ((unsigned int) -1)
+ #endif
+ 
++#include "pam_inline.h"
+ #include "faillock.h"
+-
+-struct options {
+-	unsigned int reset;
+-	const char *dir;
+-	const char *user;
+-	const char *progname;
+-};
++#include "faillock_config.h"
+ 
+ static int
+ args_parse(int argc, char **argv, struct options *opts)
+ {
+ 	int i;
++	int rv;
++	const char *dir = NULL;
++	const char *conf = NULL;
++
+ 	memset(opts, 0, sizeof(*opts));
+ 
+-	opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
+ 	opts->progname = argv[0];
+ 
+ 	for (i = 1; i < argc; ++i) {
+-
+-		if (strcmp(argv[i], "--dir") == 0) {
++		if (strcmp(argv[i], "--conf") == 0) {
++			++i;
++			if (i >= argc || strlen(argv[i]) == 0) {
++				fprintf(stderr, "%s: No configuration file supplied.\n",
++						argv[0]);
++				return -1;
++			}
++			conf = argv[i];
++		}
++		else if (strcmp(argv[i], "--dir") == 0) {
+ 			++i;
+ 			if (i >= argc || strlen(argv[i]) == 0) {
+-				fprintf(stderr, "%s: No directory supplied.\n", argv[0]);
++				fprintf(stderr, "%s: No records directory supplied.\n",
++						argv[0]);
+ 				return -1;
+ 			}
+-		        opts->dir = argv[i];
++			dir = argv[i];
+ 		}
+ 		else if (strcmp(argv[i], "--user") == 0) {
+ 			++i;
+@@ -85,7 +92,7 @@ args_parse(int argc, char **argv, struct
+ 				fprintf(stderr, "%s: No user name supplied.\n", argv[0]);
+ 				return -1;
+ 			}
+-		        opts->user = argv[i];
++			opts->user = argv[i];
+ 		}
+ 		else if (strcmp(argv[i], "--reset") == 0) {
+ 			opts->reset = 1;
+@@ -95,6 +102,21 @@ args_parse(int argc, char **argv, struct
+ 			return -1;
+ 		}
+ 	}
++
++	if ((rv = read_config_file(NULL, opts, conf)) != PAM_SUCCESS) {
++		fprintf(stderr, "Configuration file missing or broken");
++		return rv;
++	}
++
++	if (dir != NULL) {
++		free(opts->dir);
++		opts->dir = strdup(dir);
++		if (opts->dir == NULL) {
++			fprintf(stderr, "Error allocating memory: %m");
++			return -1;
++		}
++	}
++
+ 	return 0;
+ }
+ 
+@@ -112,10 +134,11 @@ do_user(struct options *opts, const char
+ 	int rv;
+ 	struct tally_data tallies;
+ 	struct passwd *pwd;
++	const char *dir = get_tally_dir(opts);
+ 
+ 	pwd = getpwnam(user);
+ 
+-	fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
++	fd = open_tally(dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
+ 
+ 	if (fd == -1) {
+ 		if (errno == ENOENT) {
+@@ -191,8 +214,9 @@ do_allusers(struct options *opts)
+ {
+ 	struct dirent **userlist;
+ 	int rv, i;
++	const char *dir = get_tally_dir(opts);
+ 
+-	rv = scandir(opts->dir, &userlist, NULL, alphasort);
++	rv = scandir(dir, &userlist, NULL, alphasort);
+ 	if (rv < 0) {
+ 		fprintf(stderr, "%s: Error reading tally directory: %m\n", opts->progname);
+ 		return 2;
+diff -up Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am
+--- Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am.faillock-load-conf-from-file	2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am	2022-05-25 15:30:33.700518571 +0200
+@@ -20,7 +20,7 @@ TESTS = $(dist_check_SCRIPTS)
+ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+ 
+-noinst_HEADERS = faillock.h
++noinst_HEADERS = faillock.h faillock_config.h
+ 
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ 	$(WARN_CFLAGS)
+@@ -41,8 +41,8 @@ dist_secureconf_DATA = faillock.conf
+ securelib_LTLIBRARIES = pam_faillock.la
+ sbin_PROGRAMS = faillock
+ 
+-pam_faillock_la_SOURCES = pam_faillock.c faillock.c
+-faillock_SOURCES = main.c faillock.c
++pam_faillock_la_SOURCES = pam_faillock.c faillock.c faillock_config.c
++faillock_SOURCES = main.c faillock.c faillock_config.c
+ 
+ if ENABLE_REGENERATE_MAN
+ dist_noinst_DATA = README
+diff -up Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c.faillock-load-conf-from-file	2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c	2022-05-25 15:33:03.885551825 +0200
+@@ -38,7 +38,6 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
+-#include <stdint.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ #include <time.h>
+@@ -56,55 +55,12 @@
+ 
+ #include "pam_inline.h"
+ #include "faillock.h"
++#include "faillock_config.h"
+ 
+ #define FAILLOCK_ACTION_PREAUTH  0
+ #define FAILLOCK_ACTION_AUTHSUCC 1
+ #define FAILLOCK_ACTION_AUTHFAIL 2
+ 
+-#define FAILLOCK_FLAG_DENY_ROOT		0x1
+-#define FAILLOCK_FLAG_AUDIT		0x2
+-#define FAILLOCK_FLAG_SILENT		0x4
+-#define FAILLOCK_FLAG_NO_LOG_INFO	0x8
+-#define FAILLOCK_FLAG_UNLOCKED		0x10
+-#define FAILLOCK_FLAG_LOCAL_ONLY	0x20
+-#define FAILLOCK_FLAG_NO_DELAY		0x40
+-
+-#define MAX_TIME_INTERVAL 604800 /* 7 days */
+-#define FAILLOCK_CONF_MAX_LINELEN 1023
+-
+-static const char default_faillock_conf[] = FAILLOCK_DEFAULT_CONF;
+-
+-struct options {
+-	unsigned int action;
+-	unsigned int flags;
+-	unsigned short deny;
+-	unsigned int fail_interval;
+-	unsigned int unlock_time;
+-	unsigned int root_unlock_time;
+-	char *dir;
+-	const char *user;
+-	char *admin_group;
+-	int failures;
+-	uint64_t latest_time;
+-	uid_t uid;
+-	int is_admin;
+-	uint64_t now;
+-	int fatal_error;
+-};
+-
+-static int read_config_file(
+-	pam_handle_t *pamh,
+-	struct options *opts,
+-	const char *cfgfile
+-);
+-
+-static void set_conf_opt(
+-	pam_handle_t *pamh,
+-	struct options *opts,
+-	const char *name,
+-	const char *value
+-);
+-
+ static int
+ args_parse(pam_handle_t *pamh, int argc, const char **argv,
+ 		int flags, struct options *opts)
+@@ -112,11 +68,10 @@ args_parse(pam_handle_t *pamh, int argc,
+ 	int i;
+ 	int config_arg_index = -1;
+ 	int rv;
+-	const char *conf = default_faillock_conf;
++	const char *conf = NULL;
+ 
+ 	memset(opts, 0, sizeof(*opts));
+ 
+-	opts->dir = strdup(FAILLOCK_DEFAULT_TALLYDIR);
+ 	opts->deny = 3;
+ 	opts->fail_interval = 900;
+ 	opts->unlock_time = 600;
+@@ -174,185 +129,11 @@ args_parse(pam_handle_t *pamh, int argc,
+ 	if (flags & PAM_SILENT)
+ 		opts->flags |= FAILLOCK_FLAG_SILENT;
+ 
+-	if (opts->dir == NULL) {
+-		pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m");
+-		opts->fatal_error = 1;
+-	}
+-
+ 	if (opts->fatal_error)
+ 		return PAM_BUF_ERR;
+ 	return PAM_SUCCESS;
+ }
+ 
+-/* parse a single configuration file */
+-static int
+-read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)
+-{
+-	FILE *f;
+-	char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];
+-
+-	f = fopen(cfgfile, "r");
+-	if (f == NULL) {
+-		/* ignore non-existent default config file */
+-		if (errno == ENOENT && cfgfile == default_faillock_conf)
+-			return PAM_SUCCESS;
+-		return PAM_SERVICE_ERR;
+-	}
+-
+-	while (fgets(linebuf, sizeof(linebuf), f) != NULL) {
+-		size_t len;
+-		char *ptr;
+-		char *name;
+-		int eq;
+-
+-		len = strlen(linebuf);
+-		/* len cannot be 0 unless there is a bug in fgets */
+-		if (len && linebuf[len - 1] != '\n' && !feof(f)) {
+-			(void) fclose(f);
+-			return PAM_SERVICE_ERR;
+-		}
+-
+-		if ((ptr=strchr(linebuf, '#')) != NULL) {
+-			*ptr = '\0';
+-		} else {
+-			ptr = linebuf + len;
+-		}
+-
+-		/* drop terminating whitespace including the \n */
+-		while (ptr > linebuf) {
+-			if (!isspace(*(ptr-1))) {
+-				*ptr = '\0';
+-				break;
+-			}
+-			--ptr;
+-		}
+-
+-		/* skip initial whitespace */
+-		for (ptr = linebuf; isspace(*ptr); ptr++);
+-		if (*ptr == '\0')
+-			continue;
+-
+-		/* grab the key name */
+-		eq = 0;
+-		name = ptr;
+-		while (*ptr != '\0') {
+-			if (isspace(*ptr) || *ptr == '=') {
+-				eq = *ptr == '=';
+-				*ptr = '\0';
+-				++ptr;
+-				break;
+-			}
+-			++ptr;
+-		}
+-
+-		/* grab the key value */
+-		while (*ptr != '\0') {
+-			if (*ptr != '=' || eq) {
+-				if (!isspace(*ptr)) {
+-					break;
+-				}
+-			} else {
+-				eq = 1;
+-			}
+-			++ptr;
+-		}
+-
+-		/* set the key:value pair on opts */
+-		set_conf_opt(pamh, opts, name, ptr);
+-	}
+-
+-	(void)fclose(f);
+-	return PAM_SUCCESS;
+-}
+-
+-static void
+-set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const char *value)
+-{
+-	if (strcmp(name, "dir") == 0) {
+-		if (value[0] != '/') {
+-			pam_syslog(pamh, LOG_ERR,
+-				"Tally directory is not absolute path (%s); keeping default", value);
+-		} else {
+-			free(opts->dir);
+-			opts->dir = strdup(value);
+-		}
+-	}
+-	else if (strcmp(name, "deny") == 0) {
+-		if (sscanf(value, "%hu", &opts->deny) != 1) {
+-			pam_syslog(pamh, LOG_ERR,
+-				"Bad number supplied for deny argument");
+-		}
+-	}
+-	else if (strcmp(name, "fail_interval") == 0) {
+-		unsigned int temp;
+-		if (sscanf(value, "%u", &temp) != 1 ||
+-			temp > MAX_TIME_INTERVAL) {
+-			pam_syslog(pamh, LOG_ERR,
+-				"Bad number supplied for fail_interval argument");
+-		} else {
+-			opts->fail_interval = temp;
+-		}
+-	}
+-	else if (strcmp(name, "unlock_time") == 0) {
+-		unsigned int temp;
+-
+-		if (strcmp(value, "never") == 0) {
+-			opts->unlock_time = 0;
+-		}
+-		else if (sscanf(value, "%u", &temp) != 1 ||
+-			temp > MAX_TIME_INTERVAL) {
+-			pam_syslog(pamh, LOG_ERR,
+-				"Bad number supplied for unlock_time argument");
+-		}
+-		else {
+-			opts->unlock_time = temp;
+-		}
+-	}
+-	else if (strcmp(name, "root_unlock_time") == 0) {
+-		unsigned int temp;
+-
+-		if (strcmp(value, "never") == 0) {
+-			opts->root_unlock_time = 0;
+-		}
+-		else if (sscanf(value, "%u", &temp) != 1 ||
+-			temp > MAX_TIME_INTERVAL) {
+-			pam_syslog(pamh, LOG_ERR,
+-				"Bad number supplied for root_unlock_time argument");
+-		} else {
+-			opts->root_unlock_time = temp;
+-		}
+-	}
+-	else if (strcmp(name, "admin_group") == 0) {
+-		free(opts->admin_group);
+-		opts->admin_group = strdup(value);
+-		if (opts->admin_group == NULL) {
+-			opts->fatal_error = 1;
+-			pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m");
+-		}
+-	}
+-	else if (strcmp(name, "even_deny_root") == 0) {
+-		opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
+-	}
+-	else if (strcmp(name, "audit") == 0) {
+-		opts->flags |= FAILLOCK_FLAG_AUDIT;
+-	}
+-	else if (strcmp(name, "silent") == 0) {
+-		opts->flags |= FAILLOCK_FLAG_SILENT;
+-	}
+-	else if (strcmp(name, "no_log_info") == 0) {
+-		opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
+-	}
+-	else if (strcmp(name, "local_users_only") == 0) {
+-		opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY;
+-	}
+-	else if (strcmp(name, "nodelay") == 0) {
+-		opts->flags |= FAILLOCK_FLAG_NO_DELAY;
+-	}
+-	else {
+-		pam_syslog(pamh, LOG_ERR, "Unknown option: %s", name);
+-	}
+-}
+-
+ static int
+ check_local_user (pam_handle_t *pamh, const char *user)
+ {
+@@ -406,10 +187,11 @@ check_tally(pam_handle_t *pamh, struct o
+ 	unsigned int i;
+ 	uint64_t latest_time;
+ 	int failures;
++	const char *dir = get_tally_dir(opts);
+ 
+ 	opts->now = time(NULL);
+ 
+-	tfd = open_tally(opts->dir, opts->user, opts->uid, 0);
++	tfd = open_tally(dir, opts->user, opts->uid, 0);
+ 
+ 	*fd = tfd;
+ 
+@@ -483,9 +265,10 @@ static void
+ reset_tally(pam_handle_t *pamh, struct options *opts, int *fd)
+ {
+ 	int rv;
++	const char *dir = get_tally_dir(opts);
+ 
+ 	if (*fd == -1) {
+-		*fd = open_tally(opts->dir, opts->user, opts->uid, 1);
++		*fd = open_tally(dir, opts->user, opts->uid, 1);
+ 	}
+ 	else {
+ 		while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
+@@ -504,9 +287,10 @@ write_tally(pam_handle_t *pamh, struct o
+ 	unsigned int oldest;
+ 	uint64_t oldtime;
+ 	const void *source = NULL;
++	const char *dir = get_tally_dir(opts);
+ 
+ 	if (*fd == -1) {
+-		*fd = open_tally(opts->dir, opts->user, opts->uid, 1);
++		*fd = open_tally(dir, opts->user, opts->uid, 1);
+ 	}
+ 	if (*fd == -1) {
+ 		if (errno == EACCES) {
+diff --git a/modules/pam_faillock/faillock.h b/modules/pam_faillock/faillock.h
+index b22a9dfb..0ea0ffba 100644
+--- a/modules/pam_faillock/faillock.h
++++ b/modules/pam_faillock/faillock.h
+diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock.h.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock.h
+--- Linux-PAM-1.5.1/modules/pam_faillock/faillock.h.faillock-load-conf-from-file	2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_faillock/faillock.h	2022-05-25 15:33:03.885551825 +0200
+@@ -67,7 +67,6 @@ struct tally_data {
+ };
+ 
+ #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
+-#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf"
+ 
+ int open_tally(const char *dir, const char *user, uid_t uid, int create);
+ int read_tally(int fd, struct tally_data *tallies);

SOURCES/pam-1.5.1-pam-faillock-avoid-logging-erroneous.patch

@@ -0,0 +1,37 @@
+From 10086bc69663fa819277af244eeb5b629a2403b8 Mon Sep 17 00:00:00 2001
+From: Deepak Das <ddas@redhat.com>
+Date: Mon, 10 Oct 2022 21:21:35 +0530
+Subject: [PATCH] pam_faillock: avoid logging an erroneous consecutive login
+ failure message
+
+* modules/pam_faillock/pam_faillock.c (write_tally): Avoid logging
+a consecutive login failure message for the root user in case when
+even_deny_root is not set.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2082442
+---
+ modules/pam_faillock/pam_faillock.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
+index ddbb90e7..ca1c7035 100644
+--- a/modules/pam_faillock/pam_faillock.c
++++ b/modules/pam_faillock/pam_faillock.c
+@@ -374,9 +374,11 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
+ 		}
+ 		close(audit_fd);
+ #endif
+-		if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) {
+-			pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked",
+-				opts->user);
++		if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO) &&
++		    ((opts->flags & FAILLOCK_FLAG_DENY_ROOT) || (opts->uid != 0))) {
++			pam_syslog(pamh, LOG_INFO,
++				   "Consecutive login failures for user %s account temporarily locked",
++				   opts->user);
+ 		}
+ 	}
+ 
+-- 
+2.38.1
+

SOURCES/pam-1.5.1-pam-faillock-clarify-missing-user.patch

@@ -0,0 +1,53 @@
+From bcbf145ce925934214e48200c27c9ff736452549 Mon Sep 17 00:00:00 2001
+From: Deepak Das <ddas@redhat.com>
+Date: Mon, 10 Oct 2022 17:55:53 +0530
+Subject: [PATCH] pam_faillock: Clarify missing user faillock files after
+ reboot
+
+* modules/pam_faillock/faillock.conf.5.xml: Adding note related to missing
+user specific faillock files after reboot.
+
+* modules/pam_faillock/pam_faillock.8.xml: Adding note related to missing
+user specific faillock files after reboot.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2062512
+---
+ modules/pam_faillock/faillock.conf.5.xml | 4 ++++
+ modules/pam_faillock/pam_faillock.8.xml  | 6 ++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/modules/pam_faillock/faillock.conf.5.xml b/modules/pam_faillock/faillock.conf.5.xml
+index 04a84107..8faa5915 100644
+--- a/modules/pam_faillock/faillock.conf.5.xml
++++ b/modules/pam_faillock/faillock.conf.5.xml
+@@ -44,6 +44,10 @@
+                   The directory where the user files with the failure records are kept. The
+                   default is <filename>/var/run/faillock</filename>.
+                 </para>
++                <para>
++                  Note: These files will disappear after reboot on systems configured with
++                  directory <filename>/var/run/faillock</filename> mounted on virtual memory.
++                </para>
+               </listitem>
+             </varlistentry>
+             <varlistentry>
+diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml
+index 79bcbbd0..b7b7b0db 100644
+--- a/modules/pam_faillock/pam_faillock.8.xml
++++ b/modules/pam_faillock/pam_faillock.8.xml
+@@ -327,6 +327,12 @@ session  required       pam_selinux.so open
+         <term><filename>/var/run/faillock/*</filename></term>
+         <listitem>
+           <para>the files logging the authentication failures for users</para>
++          <para>
++            Note: These files will disappear after reboot on systems configured with
++            directory <filename>/var/run/faillock</filename> mounted on virtual memory.
++            For persistent storage use the option <emphasis>dir=</emphasis> in
++            file <filename>/etc/security/faillock.conf</filename>.
++          </para>
+         </listitem>
+       </varlistentry>
+       <varlistentry>
+-- 
+2.38.1
+

SOURCES/pam-1.5.1-pam-keyinit-thread-safe.patch

@@ -0,0 +1,150 @@
+From a35e092e24ee7632346a0e1b4a203c04d4cd2c62 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 24 Jan 2022 15:43:23 +0100
+Subject: [PATCH] pam_keyinit: thread-safe implementation
+
+* modules/pam_keyinit/pam_keyinit.c: Bypass setre*id() C library calls
+with kernel calls and change global variables definitions to be
+thread-safe.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1997969
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+Co-Authored-By: Andreas Schneider <asn@samba.org>
+---
+ modules/pam_keyinit/pam_keyinit.c | 60 ++++++++++++++++++++++---------
+ 1 file changed, 44 insertions(+), 16 deletions(-)
+
+diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c
+index 92e4953b..df9804b9 100644
+--- a/modules/pam_keyinit/pam_keyinit.c
++++ b/modules/pam_keyinit/pam_keyinit.c
+@@ -21,6 +21,7 @@
+ #include <security/pam_modutil.h>
+ #include <security/pam_ext.h>
+ #include <sys/syscall.h>
++#include <stdatomic.h>
+ 
+ #define KEY_SPEC_SESSION_KEYRING	-3 /* ID for session keyring */
+ #define KEY_SPEC_USER_KEYRING		-4 /* ID for UID-specific keyring */
+@@ -31,12 +32,12 @@
+ #define KEYCTL_REVOKE			3 /* revoke a key */
+ #define KEYCTL_LINK			8 /* link a key into a keyring */
+ 
+-static int my_session_keyring = 0;
+-static int session_counter = 0;
+-static int do_revoke = 0;
+-static uid_t revoke_as_uid;
+-static gid_t revoke_as_gid;
+-static int xdebug = 0;
++static _Thread_local int my_session_keyring = 0;
++static _Atomic int session_counter = 0;
++static _Thread_local int do_revoke = 0;
++static _Thread_local uid_t revoke_as_uid;
++static _Thread_local gid_t revoke_as_gid;
++static _Thread_local int xdebug = 0;
+ 
+ static void debug(pam_handle_t *pamh, const char *fmt, ...)
+ 	__attribute__((format(printf, 2, 3)));
+@@ -64,6 +65,33 @@ static void error(pam_handle_t *pamh, const char *fmt, ...)
+ 	va_end(va);
+ }
+ 
++static int pam_setreuid(uid_t ruid, uid_t euid)
++{
++#if defined(SYS_setreuid32)
++    return syscall(SYS_setreuid32, ruid, euid);
++#else
++    return syscall(SYS_setreuid, ruid, euid);
++#endif
++}
++
++static int pam_setregid(gid_t rgid, gid_t egid)
++{
++#if defined(SYS_setregid32)
++    return syscall(SYS_setregid32, rgid, egid);
++#else
++    return syscall(SYS_setregid, rgid, egid);
++#endif
++}
++
++static int pam_setresuid(uid_t ruid, uid_t euid, uid_t suid)
++{
++#if defined(SYS_setresuid32)
++    return syscall(SYS_setresuid32, ruid, euid, suid);
++#else
++    return syscall(SYS_setresuid, ruid, euid, suid);
++#endif
++}
++
+ /*
+  * initialise the session keyring for this process
+  */
+@@ -140,14 +168,14 @@ static int kill_keyrings(pam_handle_t *pamh, int error_ret)
+ 
+ 		/* switch to the real UID and GID so that we have permission to
+ 		 * revoke the key */
+-		if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0) {
++		if (revoke_as_gid != old_gid && pam_setregid(-1, revoke_as_gid) < 0) {
+ 			error(pamh, "Unable to change GID to %d temporarily\n", revoke_as_gid);
+ 			return error_ret;
+ 		}
+ 
+-		if (revoke_as_uid != old_uid && setresuid(-1, revoke_as_uid, old_uid) < 0) {
++		if (revoke_as_uid != old_uid && pam_setresuid(-1, revoke_as_uid, old_uid) < 0) {
+ 			error(pamh, "Unable to change UID to %d temporarily\n", revoke_as_uid);
+-			if (getegid() != old_gid && setregid(-1, old_gid) < 0)
++			if (getegid() != old_gid && pam_setregid(-1, old_gid) < 0)
+ 				error(pamh, "Unable to change GID back to %d\n", old_gid);
+ 			return error_ret;
+ 		}
+@@ -157,12 +185,12 @@ static int kill_keyrings(pam_handle_t *pamh, int error_ret)
+ 		}
+ 
+ 		/* return to the original UID and GID (probably root) */
+-		if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0) {
++		if (revoke_as_uid != old_uid && pam_setreuid(-1, old_uid) < 0) {
+ 			error(pamh, "Unable to change UID back to %d\n", old_uid);
+ 			ret = error_ret;
+ 		}
+ 
+-		if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0) {
++		if (revoke_as_gid != old_gid && pam_setregid(-1, old_gid) < 0) {
+ 			error(pamh, "Unable to change GID back to %d\n", old_gid);
+ 			ret = error_ret;
+ 		}
+@@ -215,14 +243,14 @@ static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error
+ 
+ 	/* switch to the real UID and GID so that the keyring ends up owned by
+ 	 * the right user */
+-	if (gid != old_gid && setregid(gid, -1) < 0) {
++	if (gid != old_gid && pam_setregid(gid, -1) < 0) {
+ 		error(pamh, "Unable to change GID to %d temporarily\n", gid);
+ 		return error_ret;
+ 	}
+ 
+-	if (uid != old_uid && setreuid(uid, -1) < 0) {
++	if (uid != old_uid && pam_setreuid(uid, -1) < 0) {
+ 		error(pamh, "Unable to change UID to %d temporarily\n", uid);
+-		if (setregid(old_gid, -1) < 0)
++		if (pam_setregid(old_gid, -1) < 0)
+ 			error(pamh, "Unable to change GID back to %d\n", old_gid);
+ 		return error_ret;
+ 	}
+@@ -230,12 +258,12 @@ static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error
+ 	ret = init_keyrings(pamh, force, error_ret);
+ 
+ 	/* return to the original UID and GID (probably root) */
+-	if (uid != old_uid && setreuid(old_uid, -1) < 0) {
++	if (uid != old_uid && pam_setreuid(old_uid, -1) < 0) {
+ 		error(pamh, "Unable to change UID back to %d\n", old_uid);
+ 		ret = error_ret;
+ 	}
+ 
+-	if (gid != old_gid && setregid(old_gid, -1) < 0) {
++	if (gid != old_gid && pam_setregid(old_gid, -1) < 0) {
+ 		error(pamh, "Unable to change GID back to %d\n", old_gid);
+ 		ret = error_ret;
+ 	}
+-- 
+2.35.1
+

SOURCES/pam-1.5.1-pam-lastlog-check-localtime_r-return-value.patch

@@ -0,0 +1,41 @@
+From 40c271164dbcebfc5304d0537a42fb42e6b6803c Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 26 Sep 2022 12:16:53 +0200
+Subject: [PATCH] pam_lastlog: check localtime_r() return value
+
+Check the return value of localtime_r() before calling strftime(). This
+function crashes if the argument is NULL.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012871
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ modules/pam_lastlog/pam_lastlog.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
+index abd048df..121e7560 100644
+--- a/modules/pam_lastlog/pam_lastlog.c
++++ b/modules/pam_lastlog/pam_lastlog.c
+@@ -573,12 +573,12 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
+ 	    time_t lf_time;
+ 
+ 	    lf_time = utuser.ut_tv.tv_sec;
+-	    tm = localtime_r (&lf_time, &tm_buf);
+-	    strftime (the_time, sizeof (the_time),
+-	        /* TRANSLATORS: "strftime options for date of last login" */
+-		_(" %a %b %e %H:%M:%S %Z %Y"), tm);
+-
+-	    date = the_time;
++	    if ((tm = localtime_r (&lf_time, &tm_buf)) != NULL) {
++	        strftime (the_time, sizeof (the_time),
++	            /* TRANSLATORS: "strftime options for date of last login" */
++	                  _(" %a %b %e %H:%M:%S %Z %Y"), tm);
++	        date = the_time;
++	    }
+ 	}
+ 
+ 	/* we want & have the host? */
+-- 
+2.38.1
+

SOURCES/pam-1.5.1-pam-limits-unlimited-value.patch

@@ -0,0 +1,99 @@
+From 3234488f2c52a021eec87df1990d256314c21bff Mon Sep 17 00:00:00 2001
+From: Josef Moellers <jmoellers@suse.de>
+Date: Wed, 14 Apr 2021 16:39:28 +0200
+Subject: [PATCH] pam_limits: "Unlimited" is not a valid value for
+ RLIMIT_NOFILE.
+
+Replace it with a value obtained from /proc/sys/fs/nr_open
+
+* modules/pam_limits/limits.conf.5.xml: Document the replacement.
+* modules/pam_limits/pam_limits.c: Replace unlimited RLIMIT_NOFILE
+  value with a value obtained from /proc/sys/fs/nr_open
+---
+ modules/pam_limits/limits.conf.5.xml |  2 ++
+ modules/pam_limits/pam_limits.c      | 49 ++++++++++++++++++++++++++++
+ 2 files changed, 51 insertions(+)
+
+diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
+index cd64ac90..c5bd6768 100644
+--- a/modules/pam_limits/limits.conf.5.xml
++++ b/modules/pam_limits/limits.conf.5.xml
+@@ -283,6 +283,8 @@
+       <emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit,
+       except for <emphasis remap='B'>priority</emphasis>, <emphasis remap='B'>nice</emphasis>,
+       and <emphasis remap='B'>nonewprivs</emphasis>.
++      If <emphasis remap='B'>nofile</emphasis> is to be set to one of these values,
++      it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
+     </para>
+     <para>
+       If a hard limit or soft limit of a resource is set to a valid value,
+diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
+index 10049973..7cc45d77 100644
+--- a/modules/pam_limits/pam_limits.c
++++ b/modules/pam_limits/pam_limits.c
+@@ -487,6 +487,41 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
+     return retval;
+ }
+ 
++/*
++ * Read the contents of <pathname> and return it in *valuep
++ * return 1 if conversion succeeds, result is in *valuep
++ * return 0 if conversion fails, *valuep is untouched.
++ */
++static int
++value_from_file(const char *pathname, rlim_t *valuep)
++{
++    char buf[128];
++    FILE *fp;
++    int retval;
++
++    retval = 0;
++
++    if ((fp = fopen(pathname, "r")) != NULL) {
++	if (fgets(buf, sizeof(buf), fp) != NULL) {
++	    char *endptr;
++	    unsigned long long value;
++
++	    errno = 0;
++	    value = strtoull(buf, &endptr, 10);
++	    if (endptr != buf &&
++		(value != ULLONG_MAX || errno == 0) &&
++                (unsigned long long) (rlim_t) value == value) {
++		*valuep = (rlim_t) value;
++		retval = 1;
++	    }
++	}
++
++	fclose(fp);
++    }
++
++    return retval;
++}
++
+ static void
+ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
+ 	       const char *lim_item, const char *lim_value,
+@@ -666,6 +701,20 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
+ 	 rlimit_value = 20 - int_value;
+          break;
+ #endif
++	case RLIMIT_NOFILE:
++	/*
++	 * If nofile is to be set to "unlimited", try to set it to
++	 * the value in /proc/sys/fs/nr_open instead.
++	 */
++	if (rlimit_value == RLIM_INFINITY) {
++	    if (!value_from_file("/proc/sys/fs/nr_open", &rlimit_value))
++		pam_syslog(pamh, LOG_WARNING,
++			   "Cannot set \"nofile\" to a sensible value");
++	    else if (ctrl & PAM_DEBUG_ARG)
++		pam_syslog(pamh, LOG_DEBUG, "Setting \"nofile\" limit to %llu",
++			   (unsigned long long) rlimit_value);
++	}
++	break;
+     }
+ 
+     if ( (limit_item != LIMIT_LOGIN)
+-- 
+2.33.1
+

SOURCES/pam-1.5.1-pam-pwhistory-load-conf-from-file.patch

@@ -0,0 +1,489 @@
+diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am
+--- Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file	2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am	2022-08-22 09:08:48.916487811 +0200
+@@ -9,9 +9,10 @@ MAINTAINERCLEANFILES = $(MANS) README
+ EXTRA_DIST = $(XMLS)
+ 
+ if HAVE_DOC
+-dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8
++dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5
+ endif
+-XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
++XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \
++  pwhistory.conf.5.xml
+ dist_check_SCRIPTS = tst-pam_pwhistory
+ TESTS = $(dist_check_SCRIPTS)
+ 
+@@ -26,12 +27,14 @@ if HAVE_VERSIONING
+   pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+ 
+-noinst_HEADERS = opasswd.h
++noinst_HEADERS = opasswd.h pwhistory_config.h
++
++dist_secureconf_DATA = pwhistory.conf
+ 
+ securelib_LTLIBRARIES = pam_pwhistory.la
+ pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
+ pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
+-pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
++pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c
+ 
+ sbin_PROGRAMS = pwhistory_helper
+ pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @EXE_CFLAGS@
+diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml
+--- Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file	2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml	2022-08-22 09:13:08.715628372 +0200
+@@ -36,6 +36,9 @@
+       <arg choice="opt">
+         authtok_type=<replaceable>STRING</replaceable>
+       </arg>
++      <arg choice="opt">
++	      conf=<replaceable>/path/to/config-file</replaceable>
++      </arg>
+ 
+     </cmdsynopsis>
+   </refsynopsisdiv>
+@@ -104,7 +107,7 @@
+         <listitem>
+           <para>
+             The last <replaceable>N</replaceable> passwords for each
+-            user are saved in <filename>/etc/security/opasswd</filename>.
++            user are saved.
+             The default is <emphasis>10</emphasis>. Value of
+             <emphasis>0</emphasis> makes the module to keep the existing
+             contents of the <filename>opasswd</filename> file unchanged.
+@@ -137,7 +140,26 @@
+           </listitem>
+         </varlistentry>
+ 
++        <varlistentry>
++          <term>
++            <option>conf=<replaceable>/path/to/config-file</replaceable></option>
++          </term>
++          <listitem>
++            <para>
++              Use another configuration file instead of the default
++              <filename>/etc/security/pwhistory.conf</filename>.
++            </para>
++          </listitem>
++        </varlistentry>
++
+     </variablelist>
++    <para>
++      The options for configuring the module behavior are described in the
++      <citerefentry><refentrytitle>pwhistory.conf</refentrytitle>
++      <manvolnum>5</manvolnum></citerefentry> manual page. The options
++      specified on the module command line override the values from the
++      configuration file.
++    </para>
+   </refsect1>
+ 
+   <refsect1 id="pam_pwhistory-types">
+@@ -223,6 +245,9 @@ password     required       pam_unix.so
+     <title>SEE ALSO</title>
+     <para>
+       <citerefentry>
++	<refentrytitle>pwhistory.conf</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
+ 	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c
+--- Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file	2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c	2022-08-22 09:11:34.949855242 +0200
+@@ -63,14 +63,8 @@
+ 
+ #include "opasswd.h"
+ #include "pam_inline.h"
++#include "pwhistory_config.h"
+ 
+-struct options_t {
+-  int debug;
+-  int enforce_for_root;
+-  int remember;
+-  int tries;
+-};
+-typedef struct options_t options_t;
+ 
+ 
+ static void
+@@ -299,6 +293,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
+   options.remember = 10;
+   options.tries = 1;
+ 
++  parse_config_file(pamh, argc, argv, &options);
++
+   /* Parse parameters for module */
+   for ( ; argc-- > 0; argv++)
+     parse_option (pamh, *argv, &options);
+@@ -306,7 +302,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
+   if (options.debug)
+     pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered");
+ 
+-
+   if (options.remember == 0)
+     return PAM_IGNORE;
+ 
+diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml
+--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file	2022-08-22 09:08:48.916487811 +0200
++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml	2022-08-22 09:08:48.916487811 +0200
+@@ -0,0 +1,155 @@
++<?xml version="1.0" encoding='UTF-8'?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++
++<refentry id="pwhistory.conf">
++
++  <refmeta>
++    <refentrytitle>pwhistory.conf</refentrytitle>
++    <manvolnum>5</manvolnum>
++    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
++  </refmeta>
++
++  <refnamediv id="pwhistory.conf-name">
++    <refname>pwhistory.conf</refname>
++    <refpurpose>pam_pwhistory configuration file</refpurpose>
++  </refnamediv>
++
++  <refsect1 id="pwhistory.conf-description">
++
++    <title>DESCRIPTION</title>
++    <para>
++       <emphasis remap='B'>pwhistory.conf</emphasis> provides a way to configure the
++       default settings for saving the last passwords for each user.
++       This file is read by the <emphasis>pam_pwhistory</emphasis> module and is the
++       preferred method over configuring <emphasis>pam_pwhistory</emphasis> directly.
++    </para>
++    <para>
++       The file has a very simple <emphasis>name = value</emphasis> format with possible comments
++       starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end
++       of line, and around the <emphasis>=</emphasis> sign is ignored.
++    </para>
++  </refsect1>
++
++  <refsect1 id="pwhistory.conf-options">
++
++    <title>OPTIONS</title>
++         <variablelist>
++            <varlistentry>
++              <term>
++                <option>debug</option>
++              </term>
++              <listitem>
++                <para>
++                  Turns on debugging via
++                  <citerefentry>
++                    <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
++                  </citerefentry>.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>enforce_for_root</option>
++              </term>
++              <listitem>
++                <para>
++                  If this option is set, the check is enforced for root, too.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>remember=<replaceable>N</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  The last <replaceable>N</replaceable> passwords for each
++                  user are saved.
++                  The default is <emphasis>10</emphasis>. Value of
++                  <emphasis>0</emphasis> makes the module to keep the existing
++                  contents of the <filename>opasswd</filename> file unchanged.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>retry=<replaceable>N</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  Prompt user at most <replaceable>N</replaceable> times
++                  before returning with error. The default is 1.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>file=<replaceable>/path/filename</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  Store password history in file
++                  <replaceable>/path/filename</replaceable> rather than the default
++                  location. The default location is
++	                <filename>/etc/security/opasswd</filename>.
++                </para>
++              </listitem>
++            </varlistentry>
++        </variablelist>
++  </refsect1>
++
++  <refsect1 id='pwhistory.conf-examples'>
++    <title>EXAMPLES</title>
++    <para>
++      /etc/security/pwhistory.conf file example:
++    </para>
++    <programlisting>
++debug
++remember=5
++file=/tmp/opasswd
++    </programlisting>
++  </refsect1>
++
++  <refsect1 id="pwhistory.conf-files">
++    <title>FILES</title>
++    <variablelist>
++      <varlistentry>
++        <term><filename>/etc/security/pwhistory.conf</filename></term>
++        <listitem>
++          <para>the config file for custom options</para>
++        </listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
++  <refsect1 id='pwhistory.conf-see_also'>
++    <title>SEE ALSO</title>
++    <para>
++      <citerefentry>
++        <refentrytitle>pwhistory</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>
++    </para>
++  </refsect1>
++
++  <refsect1 id='pwhistory.conf-author'>
++    <title>AUTHOR</title>
++      <para>
++        pam_pwhistory was written by Thorsten Kukuk. The support for
++        pwhistory.conf was written by Iker Pedrosa.
++      </para>
++  </refsect1>
++
++</refentry>
+diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c
+--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file	2022-08-22 09:08:48.916487811 +0200
++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c	2022-08-22 09:08:48.916487811 +0200
+@@ -0,0 +1,115 @@
++/*
++ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <syslog.h>
++
++#include <security/pam_modutil.h>
++
++#include "pam_inline.h"
++#include "pwhistory_config.h"
++
++#define PWHISTORY_DEFAULT_CONF "/etc/security/pwhistory.conf"
++
++void
++parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
++                  struct options_t *options)
++{
++    const char *fname = NULL;
++    int i;
++    char *val;
++
++    for (i = 0; i < argc; ++i) {
++        const char *str = pam_str_skip_prefix(argv[i], "conf=");
++
++        if (str != NULL) {
++            fname = str;
++        }
++    }
++
++    if (fname == NULL) {
++        fname = PWHISTORY_DEFAULT_CONF;
++    }
++
++    val = pam_modutil_search_key (pamh, fname, "debug");
++    if (val != NULL) {
++        options->debug = 1;
++        free(val);
++    }
++
++    val = pam_modutil_search_key (pamh, fname, "enforce_for_root");
++    if (val != NULL) {
++        options->enforce_for_root = 1;
++        free(val);
++    }
++
++    val = pam_modutil_search_key (pamh, fname, "remember");
++    if (val != NULL) {
++        unsigned int temp;
++        if (sscanf(val, "%u", &temp) != 1) {
++            pam_syslog(pamh, LOG_ERR,
++                "Bad number supplied for remember argument");
++        } else {
++            options->remember = temp;
++        }
++        free(val);
++    }
++
++    val = pam_modutil_search_key (pamh, fname, "retry");
++    if (val != NULL) {
++        unsigned int temp;
++        if (sscanf(val, "%u", &temp) != 1) {
++            pam_syslog(pamh, LOG_ERR,
++                "Bad number supplied for retry argument");
++        } else {
++            options->tries = temp;
++        }
++        free(val);
++    }
++
++    val = pam_modutil_search_key (pamh, fname, "file");
++    if (val != NULL) {
++        if (*val != '/') {
++            pam_syslog (pamh, LOG_ERR,
++                "File path should be absolute: %s", val);
++        } else {
++            options->filename = val;
++        }
++    }
++}
+diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h
+--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file	2022-08-22 09:08:48.916487811 +0200
++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h	2022-08-22 09:08:48.916487811 +0200
+@@ -0,0 +1,54 @@
++/*
++ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef _PWHISTORY_CONFIG_H
++#define _PWHISTORY_CONFIG_H
++
++#include <security/pam_ext.h>
++
++struct options_t {
++    int debug;
++    int enforce_for_root;
++    int remember;
++    int tries;
++    const char *filename;
++};
++typedef struct options_t options_t;
++
++void
++parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
++                  struct options_t *options);
++
++#endif /* _PWHISTORY_CONFIG_H */
+diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf
+--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file	2022-08-22 09:08:48.916487811 +0200
++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf	2022-08-22 09:08:48.916487811 +0200
+@@ -0,0 +1,21 @@
++# Configuration for remembering the last passwords used by a user.
++#
++# Enable the debugging logs.
++# Enabled if option is present.
++# debug
++#
++# root account's passwords are also remembered.
++# Enabled if option is present.
++# enforce_for_root
++#
++# Number of passwords to remember.
++# The default is 10.
++# remember = 10
++#
++# Number of times to prompt for the password.
++# The default is 1.
++# retry = 1
++#
++# The directory where the last passwords are kept.
++# The default is /etc/security/opasswd.
++# file = /etc/security/opasswd

SOURCES/pam-1.5.1-pam-usertype-SYS_UID_MAX.patch

@@ -0,0 +1,100 @@
+From 370064ef6f99581b08d473a42bb3417d5dda3e4e Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Thu, 17 Feb 2022 10:24:03 +0100
+Subject: [PATCH] pam_usertype: only use SYS_UID_MAX for system users
+
+* modules/pam_usertype/pam_usertype.c (pam_usertype_is_system): Stop
+using SYS_UID_MIN to check if it is a system account, because all
+accounts below the SYS_UID_MAX are system users.
+* modules/pam_usertype/pam_usertype.8.xml: Remove reference to SYS_UID_MIN
+as it is no longer used to calculate the system accounts.
+* configure.ac: Remove PAM_USERTYPE_SYSUIDMIN.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949137
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ configure.ac                            |  5 -----
+ modules/pam_usertype/pam_usertype.8.xml |  2 +-
+ modules/pam_usertype/pam_usertype.c     | 15 ++++++---------
+ 3 files changed, 7 insertions(+), 15 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 639fc1ad..79113ad1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -632,11 +632,6 @@ test -n "$opt_uidmin" ||
+           opt_uidmin=1000
+ AC_DEFINE_UNQUOTED(PAM_USERTYPE_UIDMIN, $opt_uidmin, [Minimum regular user uid.])
+ 
+-AC_ARG_WITH([sysuidmin], AS_HELP_STRING([--with-sysuidmin=<number>],[default value for system user min uid (101)]), opt_sysuidmin=$withval)
+-test -n "$opt_sysuidmin" ||
+-          opt_sysuidmin=101
+-AC_DEFINE_UNQUOTED(PAM_USERTYPE_SYSUIDMIN, $opt_sysuidmin, [Minimum system user uid.])
+-
+ AC_ARG_WITH([kernel-overflow-uid], AS_HELP_STRING([--with-kernel-overflow-uid=<number>],[kernel overflow uid, default (uint16_t)-2=65534]), opt_kerneloverflowuid=$withval)
+ test -n "$opt_kerneloverflowuid" ||
+           opt_kerneloverflowuid=65534
+diff --git a/modules/pam_usertype/pam_usertype.8.xml b/modules/pam_usertype/pam_usertype.8.xml
+index 7651da6e..d9307ba3 100644
+--- a/modules/pam_usertype/pam_usertype.8.xml
++++ b/modules/pam_usertype/pam_usertype.8.xml
+@@ -31,7 +31,7 @@
+       pam_usertype.so is designed to succeed or fail authentication
+       based on type of the account of the authenticated user.
+       The type of the account is decided with help of
+-      <emphasis>SYS_UID_MIN</emphasis> and <emphasis>SYS_UID_MAX</emphasis>
++      <emphasis>SYS_UID_MAX</emphasis>
+       settings in <emphasis>/etc/login.defs</emphasis>. One use is to select
+       whether to load other modules based on this test.
+     </para>
+diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c
+index d03b73b5..cfd9c8bb 100644
+--- a/modules/pam_usertype/pam_usertype.c
++++ b/modules/pam_usertype/pam_usertype.c
+@@ -194,7 +194,6 @@ static int
+ pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
+ {
+     uid_t uid_min;
+-    uid_t sys_min;
+     uid_t sys_max;
+ 
+     if (uid == (uid_t)-1) {
+@@ -202,21 +201,19 @@ pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
+         return PAM_USER_UNKNOWN;
+     }
+ 
+-    if (uid <= 99) {
+-        /* Reserved. */
+-        return PAM_SUCCESS;
+-    }
+-
+     if (uid == PAM_USERTYPE_OVERFLOW_UID) {
+         /* nobody */
+         return PAM_SUCCESS;
+     }
+ 
+     uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN);
+-    sys_min = pam_usertype_get_id(pamh, "SYS_UID_MIN", PAM_USERTYPE_SYSUIDMIN);
+     sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1);
+ 
+-    return uid >= sys_min && uid <= sys_max ? PAM_SUCCESS : PAM_AUTH_ERR;
++    if (uid <= sys_max && uid < uid_min) {
++        return PAM_SUCCESS;
++    }
++
++    return PAM_AUTH_ERR;
+ }
+ 
+ static int
+@@ -253,7 +250,7 @@ pam_usertype_evaluate(struct pam_usertype_opts *opts,
+ 
+ /**
+  * Arguments:
+- * - issystem: uid in <SYS_UID_MIN, SYS_UID_MAX>
++ * - issystem: uid less than SYS_UID_MAX
+  * - isregular: not issystem
+  * - use_uid: use user that runs application not that is being authenticate (same as in pam_succeed_if)
+  * - audit: log unknown users to syslog
+-- 
+2.36.1
+

SOURCES/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch

@@ -0,0 +1,42 @@
+From ec0e724fe53188c5c762c34ca9db6681c0de01b8 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Thu, 1 Jul 2021 12:14:29 +0200
+Subject: [PATCH] pam_filter: Close file after controlling tty
+
+Failing to check the descriptor value meant that there was a bug in the
+attempt to close the controlling tty. Moreover, this would lead to a
+file descriptor leak as pointed out by the static analyzer tool:
+
+Error: RESOURCE_LEAK (CWE-772): [#def26]
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)".
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious.  "t" leaks when it is zero.
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero?
+Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle.
+  365|   		pam_syslog(pamh, LOG_ERR,
+  366|   			   "child cannot become new session: %m");
+  367|-> 		return PAM_ABORT;
+  368|   	    }
+  369|
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ modules/pam_filter/pam_filter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
+index 2f0af4fb..6e6def37 100644
+--- a/modules/pam_filter/pam_filter.c
++++ b/modules/pam_filter/pam_filter.c
+@@ -354,7 +354,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
+ 	    int t = open("/dev/tty", O_RDWR|O_NOCTTY);
+ #else
+ 	    int t = open("/dev/tty",O_RDWR);
+-	    if (t > 0) {
++	    if (t >= 0) {
+ 		(void) ioctl(t, TIOCNOTTY, NULL);
+ 		close(t);
+ 	    }
+-- 
+2.31.1
+

SOURCES/pam-1.5.1-timestamp-openssl-hmac-authentication.patch

@@ -0,0 +1,738 @@
+From b3bb13e18a74e9ece825b7de1b81db97ebb107a0 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Thu, 25 Mar 2021 09:43:30 +0100
+Subject: [PATCH] pam_timestamp: replace hmac implementation
+
+sha1 is no longer recommended as a cryptographic algorithm for
+authentication. Thus, the idea of this change is to replace the
+implementation provided by hmacsha1 included in pam_timestamp module by
+the one in the openssl library. This way, there's no need to maintain
+the cryptographic algorithm implementation and it can be easily changed
+with a single configuration change.
+
+modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper
+functions around openssl's hmac implementation. Moreover, manage the key
+generation and its read and write in a file. Include an option to
+configure the cryptographic algorithm in login.defs file.
+modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
+modules/pam_timestamp/pam_timestamp.c: replace calls to functions
+provided by hmacsha1 by functions provided by openssl's wrapper.
+configure.ac: include openssl dependecy if it is enabled.
+modules/pam_timestamp/Makefile.am: include new files and openssl library
+to compilation.
+ci/install-dependencies.sh: include openssl library to dependencies.
+NEWS: add new item to next release.
+Make.xml.rules.in: add stringparam profiling for hmac
+doc/custom-man.xsl: change import docbook to one with profiling
+modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to
+indicate the value in /etc/login.defs that holds the value for the
+encryption algorithm
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
+---
+ Make.xml.rules.in                            |   2 +-
+ NEWS                                         |   5 +
+ configure.ac                                 |  16 +
+ doc/custom-man.xsl                           |   2 +-
+ modules/pam_timestamp/Makefile.am            |  15 +-
+ modules/pam_timestamp/hmac_openssl_wrapper.c | 381 +++++++++++++++++++
+ modules/pam_timestamp/hmac_openssl_wrapper.h |  57 +++
+ modules/pam_timestamp/pam_timestamp.8.xml    |   5 +
+ modules/pam_timestamp/pam_timestamp.c        |  53 ++-
+ 10 files changed, 524 insertions(+), 13 deletions(-)
+ create mode 100644 modules/pam_timestamp/hmac_openssl_wrapper.c
+ create mode 100644 modules/pam_timestamp/hmac_openssl_wrapper.h
+
+diff --git a/Make.xml.rules.in b/Make.xml.rules.in
+index daa1b97b..27bb510e 100644
+--- a/Make.xml.rules.in
++++ b/Make.xml.rules.in
+@@ -21,6 +21,6 @@ README: README.xml
+ 
+ %.8: %.8.xml
+ 	$(XMLLINT) --nonet --xinclude --postvalid --noout $<
+-	$(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $<
++	$(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ @STRINGPARAM_HMAC@ --nonet $(top_srcdir)/doc/custom-man.xsl $<
+ 
+ #CLEANFILES += $(man_MANS) README
+diff --git a/NEWS b/NEWS
+index 2d49ec39..f4d11303 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,10 @@
+ Linux-PAM NEWS -- history of user-visible changes.
+ 
++Release next
++* pam_timestamp: change hmac algorithm to call openssl instead of the bundled
++                 sha1 implementation if selected. Add option to select the hash
++                 algorithm to use with HMAC.
++
+ Release 1.5.1
+ * pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
+             doesn't exist and root password is blank
+diff --git a/configure.ac b/configure.ac
+index bd806473..9c92d0de 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -504,6 +504,22 @@ else
+ fi
+ AC_SUBST([STRINGPARAM_VENDORDIR])
+ 
++AC_ARG_ENABLE([openssl],
++  AS_HELP_STRING([--enable-openssl],[use OpenSSL crypto libraries]),
++  [OPENSSL_ENABLED=$enableval], OPENSSL_ENABLED=no)
++if test "$OPENSSL_ENABLED" = "yes" ; then
++  AC_CHECK_LIB([crypto], [EVP_MAC_CTX_new],
++  [CRYPTO_LIBS="-lcrypto"
++   use_openssl=yes
++   AC_DEFINE([WITH_OPENSSL], 1, [OpenSSL provides crypto algorithm for hmac])
++   STRINGPARAM_HMAC="--stringparam profile.condition 'openssl_hmac'"],
++  [CRYPTO_LIBS=""
++   STRINGPARAM_HMAC="--stringparam profile.condition 'no_openssl_hmac'"])
++fi
++AC_SUBST([CRYPTO_LIBS])
++AC_SUBST([STRINGPARAM_HMAC])
++AM_CONDITIONAL([COND_USE_OPENSSL], [test "x$use_openssl" = "xyes"])
++
+ dnl Checks for header files.
+ AC_HEADER_DIRENT
+ AC_HEADER_STDC
+diff --git a/doc/custom-man.xsl b/doc/custom-man.xsl
+index 4c35e839..a3408e6c 100644
+--- a/doc/custom-man.xsl
++++ b/doc/custom-man.xsl
+@@ -1,6 +1,6 @@
+ <?xml version='1.0'?>
+ <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ss="http://docbook.sf.net/xmlns/string.subst/1.0" version="1.0">
+-  <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"/>
++  <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/manpages/profile-docbook.xsl"/>
+   <xsl:param name="vendordir"/>
+ 
+   <xsl:param name="man.string.subst.map.local.pre">
+diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am
+index 1faa324a..d290b85f 100644
+--- a/modules/pam_timestamp/Makefile.am
++++ b/modules/pam_timestamp/Makefile.am
+@@ -18,12 +18,12 @@ TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS)
+ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+ 
+-noinst_HEADERS = hmacsha1.h sha1.h
++noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h
+ 
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ 	$(WARN_CFLAGS)
+ 
+-pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS)
++pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) $(CRYPTO_LIBS)
+ pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la
+ if HAVE_VERSIONING
+   pam_timestamp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+@@ -32,7 +32,12 @@ endif
+ securelib_LTLIBRARIES = pam_timestamp.la
+ sbin_PROGRAMS = pam_timestamp_check
+ 
+-pam_timestamp_la_SOURCES = pam_timestamp.c hmacsha1.c sha1.c
++pam_timestamp_la_SOURCES = pam_timestamp.c
++if COND_USE_OPENSSL
++pam_timestamp_la_SOURCES += hmac_openssl_wrapper.c
++else
++pam_timestamp_la_SOURCES += hmacsha1.c sha1.c
++endif
+ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
+ 
+ pam_timestamp_check_SOURCES = pam_timestamp_check.c
+@@ -40,7 +45,11 @@ pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@
+ pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
+ pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@
+ 
++if COND_USE_OPENSSL
++hmacfile_SOURCES = hmac_openssl_wrapper.c
++else
+ hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
++endif
+ hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
+ 
+ check_PROGRAMS = hmacfile
+diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.c b/modules/pam_timestamp/hmac_openssl_wrapper.c
+new file mode 100644
+index 00000000..926c2fb9
+--- /dev/null
++++ b/modules/pam_timestamp/hmac_openssl_wrapper.c
+@@ -0,0 +1,381 @@
++/* Wrapper for hmac openssl implementation.
++ *
++ * Copyright (c) 2021 Red Hat, Inc.
++ * Written by Iker Pedrosa <ipedrosa@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include "config.h"
++
++#ifdef WITH_OPENSSL
++
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <syslog.h>
++#include <unistd.h>
++#include <string.h>
++#include <errno.h>
++#include <openssl/evp.h>
++#include <openssl/params.h>
++#include <openssl/core_names.h>
++
++#include <security/pam_ext.h>
++#include <security/pam_modutil.h>
++
++#include "hmac_openssl_wrapper.h"
++
++#define LOGIN_DEFS          "/etc/login.defs"
++#define CRYPTO_KEY          "HMAC_CRYPTO_ALGO"
++#define DEFAULT_ALGORITHM   "SHA512"
++#define MAX_HMAC_LENGTH     512
++#define MAX_KEY_LENGTH      EVP_MAX_KEY_LENGTH
++
++static char *
++get_crypto_algorithm(pam_handle_t *pamh, int debug){
++    char *config_value = NULL;
++
++    config_value = pam_modutil_search_key(pamh, LOGIN_DEFS, CRYPTO_KEY);
++
++    if (config_value == NULL) {
++        config_value = strdup(DEFAULT_ALGORITHM);
++        if (debug) {
++            pam_syslog(pamh, LOG_DEBUG,
++                   "Key [%s] not found, falling back to default algorithm [%s]\n",
++                   CRYPTO_KEY, DEFAULT_ALGORITHM);
++        }
++    }
++
++    return config_value;
++}
++
++static int
++generate_key(pam_handle_t *pamh, char **key, size_t key_size)
++{
++    int fd = 0;
++    size_t bytes_read = 0;
++    char * tmp = NULL;
++
++    fd = open("/dev/urandom", O_RDONLY);
++    if (fd == -1) {
++        pam_syslog(pamh, LOG_ERR, "Cannot open /dev/urandom: %m");
++        return PAM_AUTH_ERR;
++    }
++
++    tmp = malloc(key_size);
++    if (!tmp) {
++        pam_syslog(pamh, LOG_CRIT, "Not enough memory");
++        close(fd);
++        return PAM_AUTH_ERR;
++    }
++
++    bytes_read = pam_modutil_read(fd, tmp, key_size);
++    close(fd);
++
++    if (bytes_read < key_size) {
++        pam_syslog(pamh, LOG_ERR, "Short read on random device");
++        free(tmp);
++        return PAM_AUTH_ERR;
++    }
++
++    *key = tmp;
++
++    return PAM_SUCCESS;
++}
++
++static int
++read_file(pam_handle_t *pamh, int fd, char **text, size_t *text_length)
++{
++    struct stat st;
++    size_t bytes_read = 0;
++    char *tmp = NULL;
++
++    if (fstat(fd, &st) == -1) {
++        pam_syslog(pamh, LOG_ERR, "Unable to stat file: %m");
++        close(fd);
++        return PAM_AUTH_ERR;
++    }
++
++    if (st.st_size == 0) {
++        pam_syslog(pamh, LOG_ERR, "Key file size cannot be 0");
++        close(fd);
++        return PAM_AUTH_ERR;
++    }
++
++    tmp = malloc(st.st_size);
++    if (!tmp) {
++        pam_syslog(pamh, LOG_CRIT, "Not enough memory");
++        close(fd);
++        return PAM_AUTH_ERR;
++    }
++
++    bytes_read = pam_modutil_read(fd, tmp, st.st_size);
++    close(fd);
++
++    if (bytes_read < (size_t)st.st_size) {
++        pam_syslog(pamh, LOG_ERR, "Short read on key file");
++        memset(tmp, 0, st.st_size);
++        free(tmp);
++        return PAM_AUTH_ERR;
++    }
++
++    *text = tmp;
++    *text_length = st.st_size;
++
++    return PAM_SUCCESS;
++}
++
++static int
++write_file(pam_handle_t *pamh, const char *file_name, char *text,
++           size_t text_length, uid_t owner, gid_t group)
++{
++    int fd = 0;
++    size_t bytes_written = 0;
++
++    fd = open(file_name,
++              O_WRONLY | O_CREAT | O_TRUNC,
++              S_IRUSR | S_IWUSR);
++    if (fd == -1) {
++        pam_syslog(pamh, LOG_ERR, "Unable to open [%s]: %m", file_name);
++        memset(text, 0, text_length);
++        free(text);
++        return PAM_AUTH_ERR;
++    }
++
++    if (fchown(fd, owner, group) == -1) {
++        pam_syslog(pamh, LOG_ERR, "Unable to change ownership [%s]: %m", file_name);
++        memset(text, 0, text_length);
++        free(text);
++        close(fd);
++        return PAM_AUTH_ERR;
++    }
++
++    bytes_written = pam_modutil_write(fd, text, text_length);
++    close(fd);
++
++    if (bytes_written < text_length) {
++        pam_syslog(pamh, LOG_ERR, "Short write on %s", file_name);
++        free(text);
++        return PAM_AUTH_ERR;
++    }
++
++    return PAM_SUCCESS;
++}
++
++static int
++key_management(pam_handle_t *pamh, const char *file_name, char **text,
++                size_t text_length, uid_t owner, gid_t group)
++{
++    int fd = 0;
++
++    fd = open(file_name, O_RDONLY | O_NOFOLLOW);
++    if (fd == -1) {
++        if (errno == ENOENT) {
++            if (generate_key(pamh, text, text_length)) {
++                pam_syslog(pamh, LOG_ERR, "Unable to generate key");
++                return PAM_AUTH_ERR;
++            }
++
++            if (write_file(pamh, file_name, *text, text_length, owner, group)) {
++                pam_syslog(pamh, LOG_ERR, "Unable to write key");
++                return PAM_AUTH_ERR;
++            }
++        } else {
++            pam_syslog(pamh, LOG_ERR, "Unable to open %s: %m", file_name);
++            return PAM_AUTH_ERR;
++        }
++    } else {
++        if (read_file(pamh, fd, text, &text_length)) {
++            pam_syslog(pamh, LOG_ERR, "Error reading key file %s\n", file_name);
++            return PAM_AUTH_ERR;
++        }
++    }
++
++    return PAM_SUCCESS;
++}
++
++static int
++hmac_management(pam_handle_t *pamh, int debug, void **out, size_t *out_length,
++                char *key, size_t key_length,
++                const void *text, size_t text_length)
++{
++    int ret = PAM_AUTH_ERR;
++    EVP_MAC *evp_mac = NULL;
++    EVP_MAC_CTX *ctx = NULL;
++    unsigned char *hmac_message = NULL;
++    size_t hmac_length;
++    char *algo = NULL;
++    OSSL_PARAM subalg_param[] = { OSSL_PARAM_END, OSSL_PARAM_END };
++
++    algo = get_crypto_algorithm(pamh, debug);
++
++    subalg_param[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
++                                                       algo,
++                                                       0);
++
++    evp_mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
++    if (evp_mac == NULL) {
++        pam_syslog(pamh, LOG_ERR, "Unable to create hmac implementation");
++        goto done;
++    }
++
++    ctx = EVP_MAC_CTX_new(evp_mac);
++    if (ctx == NULL) {
++        pam_syslog(pamh, LOG_ERR, "Unable to create hmac context");
++        goto done;
++    }
++
++    ret = EVP_MAC_init(ctx, (const unsigned char *)key, key_length, subalg_param);
++    if (ret == 0) {
++        pam_syslog(pamh, LOG_ERR, "Unable to initialize hmac context");
++        goto done;
++    }
++
++    ret = EVP_MAC_update(ctx, (const unsigned char *)text, text_length);
++    if (ret == 0) {
++        pam_syslog(pamh, LOG_ERR, "Unable to update hmac context");
++        goto done;
++    }
++
++    hmac_message = (unsigned char*)malloc(sizeof(unsigned char) * MAX_HMAC_LENGTH);
++    if (!hmac_message) {
++        pam_syslog(pamh, LOG_CRIT, "Not enough memory");
++        goto done;
++    }
++
++    ret = EVP_MAC_final(ctx, hmac_message, &hmac_length, MAX_HMAC_LENGTH);
++    if (ret == 0) {
++        pam_syslog(pamh, LOG_ERR, "Unable to calculate hmac message");
++        goto done;
++    }
++
++    *out_length = hmac_length;
++    *out = malloc(*out_length);
++    if (*out == NULL) {
++        pam_syslog(pamh, LOG_CRIT, "Not enough memory");
++        goto done;
++    }
++
++    memcpy(*out, hmac_message, *out_length);
++    ret = PAM_SUCCESS;
++
++done:
++    if (hmac_message != NULL) {
++        free(hmac_message);
++    }
++    if (key != NULL) {
++        memset(key, 0, key_length);
++        free(key);
++    }
++    if (ctx != NULL) {
++        EVP_MAC_CTX_free(ctx);
++    }
++    if (evp_mac != NULL) {
++        EVP_MAC_free(evp_mac);
++    }
++    free(algo);
++
++    return ret;
++}
++
++int
++hmac_size(pam_handle_t *pamh, int debug, size_t *hmac_length)
++{
++    int ret = PAM_AUTH_ERR;
++    EVP_MAC *evp_mac = NULL;
++    EVP_MAC_CTX *ctx = NULL;
++    const unsigned char key[] = "ThisIsJustAKey";
++    size_t key_length = MAX_KEY_LENGTH;
++    char *algo = NULL;
++    OSSL_PARAM subalg_param[] = { OSSL_PARAM_END, OSSL_PARAM_END };
++
++    algo = get_crypto_algorithm(pamh, debug);
++
++    subalg_param[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
++                                                       algo,
++                                                       0);
++
++    evp_mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
++    if (evp_mac == NULL) {
++        pam_syslog(pamh, LOG_ERR, "Unable to create hmac implementation");
++        goto done;
++    }
++
++    ctx = EVP_MAC_CTX_new(evp_mac);
++    if (ctx == NULL) {
++        pam_syslog(pamh, LOG_ERR, "Unable to create hmac context");
++        goto done;
++    }
++
++    ret = EVP_MAC_init(ctx, key, key_length, subalg_param);
++    if (ret == 0) {
++        pam_syslog(pamh, LOG_ERR, "Unable to initialize hmac context");
++        goto done;
++    }
++
++    *hmac_length = EVP_MAC_CTX_get_mac_size(ctx);
++    ret = PAM_SUCCESS;
++
++done:
++    if (ctx != NULL) {
++        EVP_MAC_CTX_free(ctx);
++    }
++    if (evp_mac != NULL) {
++        EVP_MAC_free(evp_mac);
++    }
++    free(algo);
++
++    return ret;
++}
++
++int
++hmac_generate(pam_handle_t *pamh, int debug, void **mac, size_t *mac_length,
++              const char *key_file, uid_t owner, gid_t group,
++              const void *text, size_t text_length)
++{
++    char *key = NULL;
++    size_t key_length = MAX_KEY_LENGTH;
++
++    if (key_management(pamh, key_file, &key, key_length, owner, group)) {
++        return PAM_AUTH_ERR;
++    }
++
++    if (hmac_management(pamh, debug, mac, mac_length, key, key_length,
++                        text, text_length)) {
++        return PAM_AUTH_ERR;
++    }
++
++    return PAM_SUCCESS;
++}
++
++#endif /* WITH_OPENSSL */
+diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.h b/modules/pam_timestamp/hmac_openssl_wrapper.h
+new file mode 100644
+index 00000000..cc27c811
+--- /dev/null
++++ b/modules/pam_timestamp/hmac_openssl_wrapper.h
+@@ -0,0 +1,57 @@
++/* Wrapper for hmac openssl implementation.
++ *
++ * Copyright (c) 2021 Red Hat, Inc.
++ * Written by Iker Pedrosa <ipedrosa@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++#ifndef PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H
++#define PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H
++
++#include "config.h"
++
++#ifdef WITH_OPENSSL
++
++#include <openssl/hmac.h>
++#include <security/pam_modules.h>
++
++int
++hmac_size(pam_handle_t *pamh, int debug, size_t *hmac_length);
++
++int
++hmac_generate(pam_handle_t *pamh, int debug, void **mac, size_t *mac_length,
++              const char *key_file, uid_t owner, gid_t group,
++              const void *text, size_t text_length);
++
++#endif /* WITH_OPENSSL */
++#endif /* PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H */
+diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml
+index e19a0bcf..83e5aea8 100644
+--- a/modules/pam_timestamp/pam_timestamp.8.xml
++++ b/modules/pam_timestamp/pam_timestamp.8.xml
+@@ -50,6 +50,11 @@ for the user.  When an application attempts to authenticate the user, a
+ <emphasis>pam_timestamp</emphasis> will treat a sufficiently recent timestamp
+ file as grounds for succeeding.
+     </para>
++    <para condition="openssl_hmac">
++      The default encryption hash is taken from the
++      <emphasis remap='B'>HMAC_CRYPTO_ALGO</emphasis> variable from
++      <emphasis>/etc/login.defs</emphasis>.
++    </para>
+   </refsect1>
+ 
+   <refsect1 id="pam_timestamp-options">
+diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
+index 30be883c..01dd1385 100644
+--- a/modules/pam_timestamp/pam_timestamp.c
++++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -56,7 +56,11 @@
+ #include <utmp.h>
+ #include <syslog.h>
+ #include <paths.h>
++#ifdef WITH_OPENSSL
++#include "hmac_openssl_wrapper.h"
++#else
+ #include "hmacsha1.h"
++#endif /* WITH_OPENSSL */
+ 
+ #include <security/pam_modules.h>
+ #include <security/_pam_macros.h>
+@@ -79,6 +83,9 @@
+ #define BUFLEN PATH_MAX
+ #endif
+ 
++#define ROOT_USER 	0
++#define ROOT_GROUP 	0
++
+ /* Return PAM_SUCCESS if the given directory looks "safe". */
+ static int
+ check_dir_perms(pam_handle_t *pamh, const char *tdir)
+@@ -449,6 +456,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 			return PAM_AUTH_ERR;
+ 		}
+ 
++#ifdef WITH_OPENSSL
++		if (hmac_size(pamh, debug, &maclen)) {
++			return PAM_AUTH_ERR;
++		}
++#else
++		maclen = hmac_sha1_size();
++#endif /* WITH_OPENSSL */
+ 		/* Check that the file is the expected size. */
+ 		if (st.st_size == 0) {
+ 			/* Invalid, but may have been created by sudo. */
+@@ -456,7 +470,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 			return PAM_AUTH_ERR;
+ 		}
+ 		if (st.st_size !=
+-		    (off_t)(strlen(path) + 1 + sizeof(then) + hmac_sha1_size())) {
++		    (off_t)(strlen(path) + 1 + sizeof(then) + maclen)) {
+ 			pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' "
+ 			       "appears to be corrupted", path);
+ 			close(fd);
+@@ -487,8 +501,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 		message_end = message + strlen(path) + 1 + sizeof(then);
+ 
+ 		/* Regenerate the MAC. */
+-		hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, 0, 0,
+-					message, message_end - message);
++#ifdef WITH_OPENSSL
++		if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY,
++				  ROOT_USER, ROOT_GROUP, message, message_end - message)) {
++			close(fd);
++			free(message);
++			return PAM_AUTH_ERR;
++		}
++#else
++		hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY,
++					ROOT_USER, ROOT_GROUP, message, message_end - message);
++#endif /* WITH_OPENSSL */
+ 		if ((mac == NULL) ||
+ 		    (memcmp(path, message, strlen(path)) != 0) ||
+ 		    (memcmp(mac, message_end, maclen) != 0)) {
+@@ -605,8 +628,16 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char *
+ 		}
+ 	}
+ 
++#ifdef WITH_OPENSSL
++	if (hmac_size(pamh, debug, &maclen)) {
++		return PAM_SESSION_ERR;
++	}
++#else
++	maclen = hmac_sha1_size();
++#endif /* WITH_OPENSSL */
++
+ 	/* Generate the message. */
+-	text = malloc(strlen(path) + 1 + sizeof(now) + hmac_sha1_size());
++	text = malloc(strlen(path) + 1 + sizeof(now) + maclen);
+ 	if (text == NULL) {
+ 		pam_syslog(pamh, LOG_CRIT, "unable to allocate memory: %m");
+ 		return PAM_SESSION_ERR;
+@@ -621,15 +652,21 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char *
+ 	p += sizeof(now);
+ 
+ 	/* Generate the MAC and append it to the plaintext. */
+-	hmac_sha1_generate_file(pamh, &mac, &maclen,
+-				TIMESTAMPKEY,
+-				0, 0,
+-				text, p - text);
++#ifdef WITH_OPENSSL
++	if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY,
++			  ROOT_USER, ROOT_GROUP, text, p - text)) {
++		free(text);
++		return PAM_SESSION_ERR;
++	}
++#else
++	hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY,
++				ROOT_USER, ROOT_GROUP, text, p - text);
+ 	if (mac == NULL) {
+ 		pam_syslog(pamh, LOG_ERR, "failure generating MAC: %m");
+ 		free(text);
+ 		return PAM_SESSION_ERR;
+ 	}
++#endif /* WITH_OPENSSL */
+ 	memmove(p, mac, maclen);
+ 	p += maclen;
+ 	free(mac);
+-- 
+2.31.1
+

SOURCES/pamtmp.conf

@@ -0,0 +1,5 @@
+d /run/console 0755 root root -
+d /run/faillock 0755 root root -
+d /run/sepermit 0755 root root -
+d /run/motd.d 0755 root root -
+f /var/log/tallylog 0600 root root -

SOURCES/password-auth.pamd

@@ -0,0 +1,18 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authselect is run.
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so try_first_pass nullok
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so

SOURCES/postlogin.5

@@ -0,0 +1,46 @@
+.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+postlogin \- Common configuration file for PAMified services
+
+.SH SYNOPSIS
+.B /etc/pam.d/postlogin
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this PAM configuration file is to provide a common
+place for all PAM modules which should be called after the stack
+configured in
+.BR system-auth
+or the other common PAM configuration files.
+
+.sp
+The
+.BR postlogin
+configuration file is included from all individual service configuration
+files that provide login service with shell or file access.
+
+.SH NOTES
+The modules in the postlogin configuration file are executed regardless
+of the success or failure of the modules in the
+.BR system-auth
+configuration file.
+
+.SH BUGS
+.sp 2
+Sometimes it would be useful to be able to skip the postlogin modules in
+case the substack of the
+.BR system-auth
+modules failed. Unfortunately the current Linux-PAM library does not
+provide any way how to achieve this.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), system-auth(5)
+
+The three
+.BR Linux-PAM
+Guides, for
+.BR "system administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "

SOURCES/postlogin.pamd

@@ -0,0 +1,8 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authselect is run.
+
+session optional                   pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1]                pam_lastlog.so nowtmp showfailed
+session optional                   pam_lastlog.so silent noupdate showfailed

SOURCES/smartcard-auth.pamd

@@ -0,0 +1,19 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authselect is run.
+auth        required      pam_env.so
+auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     required      pam_permit.so
+
+password    optional      pam_pkcs11.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so

SOURCES/system-auth.5

@@ -0,0 +1,58 @@
+.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+system-auth \- Common configuration file for PAMified services
+
+.SH SYNOPSIS
+.B /etc/pam.d/system-auth
+.B /etc/pam.d/password-auth
+.B /etc/pam.d/fingerprint-auth
+.B /etc/pam.d/smartcard-auth
+.sp 2
+.SH DESCRIPTION
+
+The purpose of these configuration files are to provide a common
+interface for all applications and service daemons calling into
+the PAM library.
+
+.sp
+The
+.BR system-auth
+configuration file is included from nearly all individual service configuration
+files with the help of the
+.BR substack
+directive.
+
+.sp
+The
+.BR password-auth
+.BR fingerprint-auth
+.BR smartcard-auth
+configuration files are for applications which handle authentication from
+different types of devices via simultaneously running individual conversations
+instead of one aggregate conversation.
+
+.SH NOTES
+Previously these common configuration files were included with the help
+of the
+.BR include
+directive. This limited the use of the different action types of modules.
+With the use of
+.BR substack
+directive to include these common configuration files this limitation
+no longer applies.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), postlogin(5)
+
+The three
+.BR Linux-PAM
+Guides, for
+.BR "system administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "

SOURCES/system-auth.pamd

@@ -0,0 +1,18 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authselect is run.
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so try_first_pass nullok
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so